
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.6.3 release notes &#8212; Django 1.11.22.dev20190603194737 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.6.2 release notes" href="1.6.2.html" />
    <link rel="prev" title="Django 1.6.4 release notes" href="1.6.4.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.11.22.dev20190603194737 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.6.4.html" title="Django 1.6.4 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.6.2.html" title="Django 1.6.2 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.6.3">
            
  <div class="section" id="s-django-1-6-3-release-notes">
<span id="django-1-6-3-release-notes"></span><h1>Django 1.6.3 release notes<a class="headerlink" href="#django-1-6-3-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>April 21, 2014</em></p>
<p>Django 1.6.3 fixes several bugs in 1.6.2, including three security issues,
and makes one backwards-incompatible change:</p>
<div class="section" id="s-unexpected-code-execution-using-reverse">
<span id="unexpected-code-execution-using-reverse"></span><h2>Unexpected code execution using <code class="docutils literal notranslate"><span class="pre">reverse()</span></code><a class="headerlink" href="#unexpected-code-execution-using-reverse" title="Permalink to this headline">¶</a></h2>
<p>Django’s URL handling is based on a mapping of regex patterns
(representing the URLs) to callable views, and Django’s own processing
consists of matching a requested URL against those patterns to
determine the appropriate view to invoke.</p>
<p>Django also provides a convenience function – <code class="docutils literal notranslate"><span class="pre">reverse()</span></code> – which performs
this process in the opposite direction. The <code class="docutils literal notranslate"><span class="pre">reverse()</span></code> function takes
information about a view and returns a URL which would invoke that view. Use
of <code class="docutils literal notranslate"><span class="pre">reverse()</span></code> is encouraged for application developers, as the output of
<code class="docutils literal notranslate"><span class="pre">reverse()</span></code> is always based on the current URL patterns, meaning developers
do not need to change other code when making changes to URLs.</p>
<p>One argument signature for <code class="docutils literal notranslate"><span class="pre">reverse()</span></code> is to pass a dotted Python
path to the desired view. In this situation, Django will import the
module indicated by that dotted path as part of generating the
resulting URL. If such a module has import-time side effects, those
side effects will occur.</p>
<p>Thus it is possible for an attacker to cause unexpected code
execution, given the following conditions:</p>
<ol class="arabic simple">
<li>One or more views are present which construct a URL based on user
input (commonly, a “next” parameter in a querystring indicating
where to redirect upon successful completion of an action).</li>
<li>One or more modules are known to an attacker to exist on the
server’s Python import path, which perform code execution with side
effects on importing.</li>
</ol>
<p>To remedy this, <code class="docutils literal notranslate"><span class="pre">reverse()</span></code> will now only accept and import dotted
paths based on the view-containing modules listed in the project’s <a class="reference internal" href="../topics/http/urls.html"><span class="doc">URL
pattern configuration</span></a>, so as to ensure that only modules
the developer intended to be imported in this fashion can or will be imported.</p>
</div>
<div class="section" id="s-caching-of-anonymous-pages-could-reveal-csrf-token">
<span id="caching-of-anonymous-pages-could-reveal-csrf-token"></span><h2>Caching of anonymous pages could reveal CSRF token<a class="headerlink" href="#caching-of-anonymous-pages-could-reveal-csrf-token" title="Permalink to this headline">¶</a></h2>
<p>Django includes both a <a class="reference internal" href="../topics/cache.html"><span class="doc">caching framework</span></a> and a system
for <a class="reference internal" href="../ref/csrf.html"><span class="doc">preventing cross-site request forgery (CSRF) attacks</span></a>. The CSRF-protection system is based on a random nonce
sent to the client in a cookie which must be sent by the client on future
requests and, in forms, a hidden value which must be submitted back with the
form.</p>
<p>The caching framework includes an option to cache responses to
anonymous (i.e., unauthenticated) clients.</p>
<p>When the first anonymous request to a given page is by a client which
did not have a CSRF cookie, the cache framework will also cache the
CSRF cookie and serve the same nonce to other anonymous clients who
do not have a CSRF cookie. This can allow an attacker to obtain a
valid CSRF cookie value and perform attacks which bypass the check for
the cookie.</p>
<p>To remedy this, the caching framework will no longer cache such
responses. The heuristic for this will be:</p>
<ol class="arabic simple">
<li>If the incoming request did not submit any cookies, and</li>
<li>If the response did send one or more cookies, and</li>
<li>If the <code class="docutils literal notranslate"><span class="pre">Vary:</span> <span class="pre">Cookie</span></code> header is set on the response, then the
response will not be cached.</li>
</ol>
</div>
<div class="section" id="s-mysql-typecasting">
<span id="mysql-typecasting"></span><h2>MySQL typecasting<a class="headerlink" href="#mysql-typecasting" title="Permalink to this headline">¶</a></h2>
<p>The MySQL database is known to “typecast” on certain queries; for
example, when querying a table which contains string values, but using
a query which filters based on an integer value, MySQL will first
silently coerce the strings to integers and return a result based on that.</p>
<p>If a query is performed without first converting values to the
appropriate type, this can produce unexpected results, similar to what
would occur if the query itself had been manipulated.</p>
<p>Django’s model field classes are aware of their own types and most
such classes perform explicit conversion of query arguments to the
correct database-level type before querying. However, three model
field classes did not correctly convert their arguments:</p>
<ul class="simple">
<li><a class="reference internal" href="../ref/models/fields.html#django.db.models.FilePathField" title="django.db.models.FilePathField"><code class="xref py py-class docutils literal notranslate"><span class="pre">FilePathField</span></code></a></li>
<li><a class="reference internal" href="../ref/models/fields.html#django.db.models.GenericIPAddressField" title="django.db.models.GenericIPAddressField"><code class="xref py py-class docutils literal notranslate"><span class="pre">GenericIPAddressField</span></code></a></li>
<li><code class="docutils literal notranslate"><span class="pre">IPAddressField</span></code></li>
</ul>
<p>These three fields have been updated to convert their arguments to the
correct types before querying.</p>
<p>Additionally, developers of custom model fields are now warned via
documentation to ensure their custom field classes will perform
appropriate type conversions, and users of the <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.raw" title="django.db.models.query.QuerySet.raw"><code class="xref py py-meth docutils literal notranslate"><span class="pre">raw()</span></code></a> and <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.extra" title="django.db.models.query.QuerySet.extra"><code class="xref py py-meth docutils literal notranslate"><span class="pre">extra()</span></code></a> query methods – which allow the
developer to supply raw SQL or SQL fragments – will be advised to ensure they
perform appropriate manual type conversions prior to executing queries.</p>
</div>
<div class="section" id="s-select-for-update-requires-a-transaction">
<span id="select-for-update-requires-a-transaction"></span><h2><code class="docutils literal notranslate"><span class="pre">select_for_update()</span></code> requires a transaction<a class="headerlink" href="#select-for-update-requires-a-transaction" title="Permalink to this headline">¶</a></h2>
<p>Historically, queries that use
<a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.select_for_update" title="django.db.models.query.QuerySet.select_for_update"><code class="xref py py-meth docutils literal notranslate"><span class="pre">select_for_update()</span></code></a> could be
executed in autocommit mode, outside of a transaction. Before Django
1.6, Django’s automatic transactions mode allowed this to be used to
lock records until the next write operation. Django 1.6 introduced
database-level autocommit; since then, execution in such a context
voids the effect of <code class="docutils literal notranslate"><span class="pre">select_for_update()</span></code>. It is, therefore, assumed
now to be an error and raises an exception.</p>
<p>This change was made because such errors can be caused by including an
app which expects global transactions (e.g. <a class="reference internal" href="../ref/settings.html#std:setting-DATABASE-ATOMIC_REQUESTS"><code class="xref std std-setting docutils literal notranslate"><span class="pre">ATOMIC_REQUESTS</span></code></a> set to <code class="docutils literal notranslate"><span class="pre">True</span></code>), or Django’s old autocommit
behavior, in a project which runs without them; and further, such
errors may manifest as data-corruption bugs.</p>
<p>This change may cause test failures if you use <code class="docutils literal notranslate"><span class="pre">select_for_update()</span></code>
in a test class which is a subclass of
<a class="reference internal" href="../topics/testing/tools.html#django.test.TransactionTestCase" title="django.test.TransactionTestCase"><code class="xref py py-class docutils literal notranslate"><span class="pre">TransactionTestCase</span></code></a> rather than
<a class="reference internal" href="../topics/testing/tools.html#django.test.TestCase" title="django.test.TestCase"><code class="xref py py-class docutils literal notranslate"><span class="pre">TestCase</span></code></a>.</p>
</div>
<div class="section" id="s-other-bugfixes-and-changes">
<span id="other-bugfixes-and-changes"></span><h2>Other bugfixes and changes<a class="headerlink" href="#other-bugfixes-and-changes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Content retrieved from the GeoIP library is now properly decoded from its
default <code class="docutils literal notranslate"><span class="pre">iso-8859-1</span></code> encoding
(<a class="reference external" href="https://code.djangoproject.com/ticket/21996">#21996</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">AttributeError</span></code> when using
<a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.bulk_create" title="django.db.models.query.QuerySet.bulk_create"><code class="xref py py-meth docutils literal notranslate"><span class="pre">bulk_create()</span></code></a> with <code class="docutils literal notranslate"><span class="pre">ForeignObject</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/21566">#21566</a>).</li>
<li>Fixed crash of <code class="docutils literal notranslate"><span class="pre">QuerySet</span></code>s that use <code class="docutils literal notranslate"><span class="pre">F()</span> <span class="pre">+</span> <span class="pre">timedelta()</span></code> when their query
was compiled more once
(<a class="reference external" href="https://code.djangoproject.com/ticket/21643">#21643</a>).</li>
<li>Prevented custom <code class="docutils literal notranslate"><span class="pre">widget</span></code> class attribute of
<a class="reference internal" href="../ref/forms/fields.html#django.forms.IntegerField" title="django.forms.IntegerField"><code class="xref py py-class docutils literal notranslate"><span class="pre">IntegerField</span></code></a> subclasses from being overwritten by the
code in their <code class="docutils literal notranslate"><span class="pre">__init__</span></code> method
(<a class="reference external" href="https://code.djangoproject.com/ticket/22245">#22245</a>).</li>
<li>Improved <a class="reference internal" href="../ref/utils.html#django.utils.html.strip_tags" title="django.utils.html.strip_tags"><code class="xref py py-func docutils literal notranslate"><span class="pre">strip_tags()</span></code></a> accuracy (but it still cannot
guarantee an HTML-safe result, as stated in the documentation).</li>
<li>Fixed a regression in the <a class="reference internal" href="../ref/contrib/gis/index.html#module-django.contrib.gis" title="django.contrib.gis: Geographic Information System (GIS) extensions for Django"><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.contrib.gis</span></code></a> SQL compiler for
non-concrete fields (<a class="reference external" href="https://code.djangoproject.com/ticket/22250">#22250</a>).</li>
<li>Fixed <a class="reference internal" href="../ref/contrib/admin/index.html#django.contrib.admin.ModelAdmin.preserve_filters" title="django.contrib.admin.ModelAdmin.preserve_filters"><code class="xref py py-attr docutils literal notranslate"><span class="pre">ModelAdmin.preserve_filters</span></code></a> when running a site with
a URL prefix (<a class="reference external" href="https://code.djangoproject.com/ticket/21795">#21795</a>).</li>
<li>Fixed a crash in the <code class="docutils literal notranslate"><span class="pre">find_command</span></code> management utility when the <code class="docutils literal notranslate"><span class="pre">PATH</span></code>
environment variable wasn’t set
(<a class="reference external" href="https://code.djangoproject.com/ticket/22256">#22256</a>).</li>
<li>Fixed <a class="reference internal" href="../ref/django-admin.html#django-admin-changepassword"><code class="xref std std-djadmin docutils literal notranslate"><span class="pre">changepassword</span></code></a> on Windows
(<a class="reference external" href="https://code.djangoproject.com/ticket/22364">#22364</a>).</li>
<li>Avoided shadowing deadlock exceptions on MySQL
(<a class="reference external" href="https://code.djangoproject.com/ticket/22291">#22291</a>).</li>
<li>Wrapped database exceptions in <code class="docutils literal notranslate"><span class="pre">_set_autocommit</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/22321">#22321</a>).</li>
<li>Fixed atomicity when closing a database connection or when the database server
disconnects (<a class="reference external" href="https://code.djangoproject.com/ticket/21239">#21239</a> and <a class="reference external" href="https://code.djangoproject.com/ticket/21202">#21202</a>)</li>
<li>Fixed regression in <code class="docutils literal notranslate"><span class="pre">prefetch_related</span></code> that caused the related objects
query to include an unnecessary join
(<a class="reference external" href="https://code.djangoproject.com/ticket/21760">#21760</a>).</li>
</ul>
<p>Additionally, Django’s vendored version of six, <a class="reference internal" href="../topics/python3.html#module-django.utils.six" title="django.utils.six"><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.utils.six</span></code></a> has been
upgraded to the latest release (1.6.1).</p>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.6.3 release notes</a><ul>
<li><a class="reference internal" href="#unexpected-code-execution-using-reverse">Unexpected code execution using <code class="docutils literal notranslate"><span class="pre">reverse()</span></code></a></li>
<li><a class="reference internal" href="#caching-of-anonymous-pages-could-reveal-csrf-token">Caching of anonymous pages could reveal CSRF token</a></li>
<li><a class="reference internal" href="#mysql-typecasting">MySQL typecasting</a></li>
<li><a class="reference internal" href="#select-for-update-requires-a-transaction"><code class="docutils literal notranslate"><span class="pre">select_for_update()</span></code> requires a transaction</a></li>
<li><a class="reference internal" href="#other-bugfixes-and-changes">Other bugfixes and changes</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="1.6.4.html"
                        title="previous chapter">Django 1.6.4 release notes</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="1.6.2.html"
                        title="next chapter">Django 1.6.2 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>This Page</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.6.3.txt"
            rel="nofollow">Show Source</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Jun 03, 2019</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.6.4.html" title="Django 1.6.4 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.6.2.html" title="Django 1.6.2 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>